Cover: More Great Ideas for Running a Security Program, page 20


TECH:  Incident  Response: 

Why  Half  Measures  Can  be  Fatal  6 

RISK:  The  Intersection  of  Risk 
Management  and  Insurance  14 

LEAD: How to Keep Your
Best Workers Happy 16


Because  no  two  businesses  are  the  same. 

Introducing  the  flexible  new  range  of  IBM  System  x  servers. 

No  two  companies  have  the  same  IT  requirements.  That’s  why  IBM®  has  a  new  range  of  System  x® 
servers,  built  to  handle  workloads  ranging  from  simple  tasks  to  complex  cloud-based  and  business 
applications.  Featuring  the  latest  Intel®  Xeon®  E5-2600  and  E5-2400  series  processors,  these 
servers  can  be  customized  so  that  you  can  select  features  you  need  today  and  add  more  as  your 
business  needs  change.  Additionally,  IBM  Business  Partners  can  help  you  find  the  server  that 
meets  your  needs  and  pair  it  with  the  right  IBM  storage,  networking  and  software  solutions  for  a 
truly  optimized  infrastructure. 

A  new  range  of  customizable  servers  to  support  your  unique  business  needs. 




IBM  System  x3650  M4  Express 


$3,179 

OR  $84/MONTH  FOR  36  MONTHS’ 


PN:  7915-EBU 


Low TCO with exceptional performance per watt


Flexible,  “pay-as-you-grow”  design  to  lower  cost  and  manage  risk 


Excellent  reliability  and  uptime  for  business-critical  applications  and  the  cloud 


IBM  System  x3530  M4  Express 


$1,899 

OR $51/MONTH FOR 36 MONTHS'
PN:  7915-EBU 


2-socket  value  server  optimized  for  performance  and  value 


Dense  1U  design  for  many  general  business  workloads 


IBM  DNA  throughout,  including  RAS,  flexibility  and  easy  management 


IBM  System  Storage®  DS3500  Express 


See  for  Yourself 

The  new  IBM  System  x  Selection  Tool  can  help 
you  choose  the  right  server  and  save  money. 
Visit:  ibm.com/systems/flexibility 


$5,499 

OR  $135/MONTH  FOR  36  MONTHS’ 


PN:  1746A2S 


6  Gbps  SAS  system  delivers  midrange  performance  and  scalability  at  entry-level  prices 
Up  to  192  drives;  high  performance  and  nearline  SAS,  SSD  and  SED  SAS  drives 
Four interface options: 6 Gbps SAS, 1 Gbps & 10 Gbps iSCSI/SAS and 8 Gbps FC/SAS


phone  to  learn  more 


Contact  the  IBM  Concierge 
to  help  you  connect  to  the 
right  IBM  Business  Partner. 
1-866-872-3902 

(mention  102JE09A) 


IBM  Global  Financing  offerings  are  provided  through  IBM  Credit  LLC  in  the  United  States  and  other  IBM  subsidiaries  and  divisions  worldwide  to  qualified  commercial  and  government  customers.  Monthly  payments 
provided  are  for  planning  purposes  only  and  may  vary  based  on  your  credit  and  other  factors.  Lease  offer  provided  is  based  on  an  FMV  lease  of  36  monthly  payments;  please  contact  your  IBM  Global  Financing 
representative  for  actual  monthly  amounts.  Other  restrictions  may  apply.  Rates  and  offerings  are  subject  to  change,  extension  or  withdrawal  without  notice. 

IBM  hardware  products  are  manufactured  from  new  parts  or  new  and  serviceable  used  parts.  Regardless,  our  warranty  terms  apply.  For  a  copy  of  applicable  product  warranties,  visit 
http://www.ibm.com/servers/support/machine_warranties.  IBM  makes  no  representation  or  warranty  regarding  third-party  products  or  services.  IBM,  the  IBM  logo,  System  Storage  and  System  x 
are  registered  trademarks  of  International  Business  Machines  Corporation,  registered  in  many  jurisdictions  worldwide.  Other  product  and  service  names  might  be  trademarks  of  IBM  or  other 
companies. For a current list of IBM trademarks, see www.ibm.com/legal/copytrade.shtml. Intel, the Intel logo, Xeon and Xeon Inside are trademarks of Intel Corporation in the United States and other countries. All prices and savings estimates are subject to change without notice, may vary according to configuration, are based upon IBM's estimated retail selling prices as of 7/2/12 and may not include storage, hard drive, operating system or other features. Reseller prices and savings to end users may vary. Products are subject to availability. This document was developed for offerings in the United States. IBM may not offer the products, features or services discussed in this document in other countries. Contact your IBM representative or IBM Business Partner for the most current pricing in your geographic area.
©2012 IBM Corporation.


December 2012 / January 2013 Volume 11, Number 10


tech 

6  Half  Measures  Can  be  Fatal 
8  Adobe  Breached 

10  Stop  Them  Before  They  Predict  Again! 


More  Great 
Ideas  for 
Running 
a  Security 
Program 

20  Last  year’s 
collection  of  great 
ideas  was  so  well 
received  that  we 
decided  to  do  an 
encore 

ILLUSTRATIONS  BY 
MARK  BREWER 


■  Also  Inside 

2  Editor’s  Letter 
4  Publisher’s  Letter 


11  ID  Fraud  Is  Now  Organized  Crime 

11  Wisdom  Watch:  National  Security  Edition 

12  Antivirus  Startup  Linked  to 
Infamous  Chinese  Hacker 

risk 

14  Taking  a  Risk  on  Risk  Management 

15  The  Story  So  Far 

lead 

16  How  to  Keep  Your  Best  Workers  Happy 
19  It’s  Time  to  Start  Patching  the  Human  OS 


32  The  4th  Annual  CSO  Holiday  Gift  Guide 


December  2012  /  January  2013  www.csoonline.com  1 


Containing  Mobile  Threats 

For  a  short  and  very  enjoyable  history  lesson,  watch  this 
YouTube  video:  http://youtu.be/Gn7loT_WSRA. 

It’s the story of a 1930s-era truck driver named Malcom McLean, who tired of sitting in the shipping port for days, waiting for dock workers to unload bales of cotton from his truck.

This delay cost him money. McLean had the idea of simply hoisting the entire truckload onto the ship in one fell swoop. This insight ultimately led to the modern “containerized” approach to shipping.

Pick  up  the  whole  container  and  plop  it  on 
the  ship!  Simple,  yes? 

Well, no. It took another couple of decades before McLean actually implemented his idea. He had to design the container itself, which was different from a conventional truck trailer of the day. And he had to build an entire ship with a stronger deck to bear the load of stacked metal containers. Because of difficulties of this sort, a lot of people thought McLean’s idea was crazy.

As part of our CSO Perspectives series of one-day events, we recently convened a panel of CISOs in Boston to talk about securing mobile computing. One of our esteemed panelists said his company, to deal with the demands of the bring-your-own-device (BYOD) movement, is taking the containerization approach. The smartphone or tablet is regarded, for security purposes, as untrusted. Users can do more or less as they like (they own the devices, after all), but corporate apps and data and network access are isolated from whatever else is on the phone or tablet. Containerized.

Simple,  yes? 


I asked the panelist about how off-the-shelf his containerization strategy was. “Not very,” was the reply. And indeed, as in McLean’s day, the simplicity of the idea conceals a lot of technical concerns. Controls can be implemented at the OS level, the hypervisor level, the application level... (For more about different approaches to containerization, without too much head-spinning technical detail, check out this useful blog post from Fixmo: http://fixmo.com/blog/2012/05/11/mobile-device-sandboxing-101.)

For  all  the  challenges  and  decisions,  though, 
containerization  still  looks  like  a  mission-critical 
concept  for  the  mobile  and  BYOD  era. 

-Derek Slater, Editor in Chief,
dslater@cxo.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol f. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.




Editor  in  Chief 

Derek  Slater 
dslater@cxo.com 
508  935-4213 
Twitter:  @derekcslater 

Managing  Editor 

Bill  Brenner 
bbrenner@cxo.com 
508  988-7587 
Twitter:  @billbrenner70 

Senior  Editor 

Joan  Goodchild 
jgoodchild@cxo.com 
508  988-7994 
Twitter:  @msjoanieg 

Copy  Editor 

Colleen  Barry 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director 

Steve  Traynor 

Editorial  Administrator 

Pat  Josefek 

Research  Manager 

Carolyn  Johnson 

Contributors 

Taylor  Armerding,  Mary  Brandel, 
John  E.  Dunn,  Elisabeth  Horwitt 
George  V.  Hulme,  Gregg  Keizer, 
Jeremy  Kirk,  Richard  Power, 
Jaikumar  Vijayan,  Bob  Violino 

Editorial/Advertising/
Business Offices

492  Old  Connecticut  Path, 

P.O.  Box  9208 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Subscriber  Services 

Phone:  866  354-1125 
Fax:  847  564-9453 
cso@omeda.com 

IDG  Enterprise 

An  IDG  Communications  Company 

International  Data  Group 
Chairman  of  the  Board 

Patrick  J.  McGovern 

IDG  Communications,  Inc. 

CEO 

Bob  Carrigan 

Chief  Content  Officer 

John  Gallant 


WORLDWIDE' 


Tim  Llewellyn 


Do  you  know  your  physical  security 

access  infrastructure  may  be  open 
to  insider  and  outsider  threats? 


Take  Control  of  your  Physical  Security 
Infrastructure  with  SAFE  Solutions 

Our  SAFE  Software  Suite  is  a  Physical  Identity  and  Access 
Management  System  that  enables  a  global  approach  to  automate 
and  streamline  your  Physical  Security  Infrastructure.  With  SAFE 
Solutions  from  Quantum  Secure,  automate  and  streamline 
physical  access  management,  gain  visibility  and  take  control  of 
on/off  boarding  processes  across  global  facilities,  and  closely 
manage  restricted  areas  to  ensure  compliance  and  reduce 
corporate  risks. 

SAFE  delivers  attestation  reports  for  compliance  to  regulations 
such  as  SOX,  NERC,  PCI,  HIPAA  and  more.  SAFE  also  performs 
insider  risk  assessment  with  facility  access  analytics,  and  will 
operate  with  disparate  physical  access  (PACS)  and  HR  systems. 
The  SAFE  Software  Suite  is  designed  to  create  unprecedented 
efficiencies  and  lower  all  physical  access  related  risks. 


SAFE  is  ideal  for: 

>  Government 

>  Airports  and  Ports 

>  Telecom 

>  Energy  and  Utilities 

>  Healthcare,  Pharmaceuticals 

>  High  Technology 

>  Financial 

>  Higher  Education 

>  Transportation 


QUANTUM  SECURE 


©  2012  Quantum  Secure,  Incorporated.  All  rights  reserved. 


>  quantumsecure.com 


Failure  to  Close 


As  we  go  to  press,  the  2012  Cybersecurity  Act,  intended  to 
strengthen  critical  infrastructure  against  cyberattacks,  has  failed 
to  pass  the  Senate...again. 


Congress’s failure has set up the Obama administration to issue an executive order mandating that businesses meet certain cybersecurity guidelines. There are a few basic problems with government’s approach to mandating cybersecurity in the private sector.

First,  despite  the  input  of  intelligent,  well- 
meaning  cybersecurity  professionals,  these 
regulations  are  ultimately  written  by  lawyers 
and  politicians.  Very  often  the  laws  cannot  be 
applied  by  real-world  enterprises  struggling 
to  deal  with  a  myriad  of  threats.  They  are  too 
general;  they  are  too  specific;  they  demand  too 
much;  they  don’t  demand  enough. 

Secondly, nearly every regulation of this type leans too heavily on information sharing. “I’ll tell you what’s happening in my cyberworld if you’ll tell me what’s happening in yours.” If everyone shared freely, it just might work. But more than ten years after the government began to aggressively advocate for this process, it still doesn't happen. The only place I have seen it succeed is in the Financial Services Information Sharing and Analysis Center. Businesses are too worried about disclosing too much (which might get them sued), and the government doesn’t want to share because it needs to control information.

Finally, regulations usually fail to achieve their goals. For example, the Federal Information Security Management Act (FISMA) was a great idea for getting federal agencies to improve their security. Unfortunately, it’s become a checkbox. Two years ago, the administration decided that agencies should report FISMA compliance monthly instead of annually. Now agencies’ limited resources go to making sure the boxes are checked monthly, instead of dealing with the real risks.

If  you’re  reading  CSO,  I  don't  need  to  remind 
you  that  compliance  does  not  equal  security.  I 
just  wish  someone  in  the  federal  government 
would  realize  this. 

-Bob  Bragdon,  publisher 
bbragdon@cxo.com 


Executive Committee
President & CEO Michael Friedenberg
Executive Assistant to the President & CEO Pamela Carlson
SVP of Human Resources Patricia Chisholm
SVP of Events Ellen Daly
SVP & Chief Content Officer John Gallant
SVP of Digital Brian Glynn
SVP of Strategic Programs & Custom Solutions Group Charles Lee
SVP, Group Publisher & CMO Bob Melk
SVP & General Manager, Online Operations Gregg Pinsky
SVP of DEMO Neil Silverman
SVP & COO Matthew Smith
SVP & General Manager, CIO Executive Council Pam Stenson
SVP of Digital & Publisher Sean Weglage

Sales 

Publisher  Bob  Bragdon 
Senior  National  Sales 
Manager  Per  Melker 
East  Coast  Regional  Director, 
Integrated  Sales  Roz  Burke 
Account Director, Integrated
Sales West Mary Hazelton
Sales  Associate  Sarah  Nadeau 

Integrated  Media  and  Online  Sales 
East  Coast  Online  Regional  Sales 
Manager  Richard  Hartman 
West  Coast  Online  Regional 
Sales  Manager  Erika  Karr 
Central  Online  Regional  Sales 
Manager  Stacy  Bryne 
Director  of  Ad  Operations  & 
Project  Management  Bill  Rigby 
Director,  Online  Account 
Services  Danielle  Tetreault 

Production 

VP  Production  Services  Chris  Cuoco 
Production  Manager  Heidi  Broadley 




Marketing 

Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

List  Services 

Contact  Steve  Tozeski  of  IDG  List  Services 
at  508  820-8106  or  stozeski@idglist.com 




ADT Business Solutions is now Tyco Integrated Security

Your  business  security  will  never  look 

When  you  have  a  challenging  security  issue,  you  need  to  see  it  solved  quickly.  That's  why 
you  need  Tyco  Integrated  Security.  We  are  the  industry  leader  in  commercial  security,  with 
world-class  monitoring  centers  and  thousands  of  qualified  technicians.  But  what  really  separates 
us  is  our  personal  passion  for  helping  you  protect  your  business.  As  your  security  provider, 
we'll  help  you  create  powerful,  intuitive  security  solutions  that  are  customized  just  for  you. 
We'll  show  you  the  future  of  security,  so  you  can  focus  on  the  future  of  your  business. 

That's  sharper  thinking. 


ACCESS  CONTROL 


FIRE 


INTRUSION


VIDEO 


www.TycoIS.com / 1.800.2.TYCO.IS


©2012 Tyco Integrated Security. All Rights Reserved. Tyco and Tyco Integrated Security are marks and/or registered marks. Unauthorized use is strictly prohibited. All other marks are the property of their respective owners.


Half  Measures  Can  be  Fatal 

It’s  only  a  matter  of  time  before  you  suffer  a  breach.  What’s  your  incident-response  plan?  by  george  v.  hulme 


Roughly $60 billion will be invested in IT security products and services this year, according to the market research firm Gartner. That’s up from $55 billion last year, with growth expected through at least 2016, when security spending is anticipated to hit a staggering $86 billion annually.

That's no small sum, and leads observers to ask whether organizations are getting value for their money. With more than 560 million records exposed in 3,438 data breaches since 2005, according to the Privacy Rights Clearinghouse, the only honest answer can be along the lines of “not really.”


According to the tenth annual Global Information Security Survey (GISS), conducted by PricewaterhouseCoopers in partnership with CSO, many of the 12,052 business and technology execs surveyed reported that their organizations fell victim to a wide variety of breaches. Those breaches included data exfiltration, mobile attacks, application breaches, network breaches, successful social engineering attacks, and lost or stolen removable storage devices. “One of the things I try to convince clients of is that while they may not be able to prevent certain breaches, they can certainly learn to respond to breaches more proactively,” says Dave Shackleford, CTO and senior vice president of research at IANS.

With  roughly  70  percent  of  respondents 
to  our  survey  admitting  to  having  suffered  a 
breach  in  the  past  12  months,  it’s  amazing  so 
few  companies  heed  Shackleford’s  advice. 

Of our respondents, only 27 percent have an incident-response process that covers reporting breaches to third parties that handle data. Only 24 percent of respondents have an incident-response plan in place as part of their larger security policy. And even when a company has an incident-response plan, key personnel are often unaware of it.




ADVERTORIAL


Kevin  Cunningham 

PRESIDENT  AND  FOUNDER, 
SAILPOINT 

Kevin Cunningham, founder and president of SailPoint, shares his perspective on why it's important for IT to rethink the enterprise approach to identity and access management (IAM).


FOR  MORE  INFORMATION: 

Visit  www.sailpoint.com 


@SailPoint 

MANAGING  THE  BUSINESS  OF  IDENTITY 


cso 

Custom  Solutions  Group 


Managing  Access  In 
A  Perfect  Storm 

Modern technology fosters improved identity
and access management strategies


Knowledge  is  power.  Productivity 
and  success  are  fueled  by  the  ability 
to  quickly  and  efficiently  access  data 
and  information.  With  the  changing 
balance  of  datacenter  and  cloud 
applications,  common  access  controls 
must  be  employed  to  ensure  security  and 
compliance  requirements  are  being  met 
across  the  gamut. 

Why  is  identity  and  access  management 
so  important  today? 

Identity  and  access  management  helps 
companies  manage  IT  risk  by  getting  a 
handle  on  who  has  access  to  what,  and 
whether  that  access  is  aligned  with 
users’  roles  and  responsibilities  within 
the  company.  This  is  crucial  when 
considering  the  growing  number  of 
compliance  regulations  and  the 
ever-present  threat  of  insider  fraud. 

Keeping  up  with  applications, 
as  well  as  thousands  of  people  joining, 
leaving  or  even  transferring  within 
the  organization  is  taxing  at  best.  The 
real  challenge  is  in  the  details,  and 
access  management  paints  a  complex 
picture.  From  a  technology  perspective, 
it  means  dealing  with  mainframe 
servers,  client-server  applications,  Web 
applications,  SaaS  applications  and 
more.  On  the  people  side,  the  myriad 
users  who  need  varying  levels  of  access 
to  these  systems  create  a  set  of 
permutations  that  is  often  impossible 
to  manage  manually. 

Success  is  achieved  by  providing 
timely  access  to  applications,  establishing 
and  managing  role-based  access,  and 
having  complete  visibility  into  application 
access  while  identifying  key  areas  of  risk. 
This  accelerates  business  by  allowing 


IT  to  maintain  tight  controls  while 
empowering  users. 

What  do  you  see  as  the  primary 
technology  trends  impacting  IT's  ability  to 
provide  identity  and  access  management? 

Consumerization  of  IT,  cloud  computing 
and  mobility  are  combining  to  form  the 
perfect  storm. 

IT  needs  to  think  from  the  consumer’s 
perspective  without  abandoning  its 
control  over  access  to  sensitive  data.  We  are 
seeing  the  rapid  adoption  of  cloud-based 
applications— oftentimes  at  a  departmental 
level  without  IT’s  awareness— and  limited, 
if  any,  security  controls.  With  mobility,  IT 
is  in  a  position  where  it  needs  to  rapidly 
consider,  adopt,  and  account  for  BYOD 
expectations. 

Amid  this  perfect  storm,  IT  still 
needs  to  be  able  to  know  who  is  accessing 
which  applications,  regardless  of  the  end 
device  they  are  using  (desktop,  mobile 
phone,  etc),  and  independent  of  where 
the  application  resides  (datacenter, 
cloud,  etc). 

Are  there  any  best  practices  IT  leaders 
should  consider? 

Prioritizing  identity  management  activities 
is  key  in  these  dynamic  environments 
where  the  demands  are  high,  the  user 
populations  are  constantly  changing,  and 
the  number  of  applications  to  manage  is 
skyrocketing. 

IT  leaders  will  improve  their  chances 
for  success  by  working  with  business 
leaders  to  select  an  identity  management 
solution  -  one  that  meets  today’s  needs  for 
greater  security,  but  also  provides  business- 
friendly  interfaces  that  make  it  easier  for 
business  users  to  participate  in  the  process. 


Tech 


This  is  no  surprise  to  Jeff  Horne,  practice 
director  of  research  and  malware  solutions  at 
Accuvant.  “The  vast  majority  of  companies 
I’ve  spoken  with  have  only  a  generic  incident- 
response  plan  in  place,  if  they  have  any  plan 
at  all.  And  that  response  plan  usually  only 
involves  re-imaging  breached  hosts  to  place 
them  back  on  the  network  with  updated 
patches  as  quickly  as  possible,”  Horne  says. 

The danger, explains Horne, is that when an organization quickly wipes a breached machine, or set of machines, it loses most of the information about the attack in the process. “They never really find out what the infection vector is in the attack, and they move on thinking they’ve fixed the breach when they may actually have not,” he says.

However,  being  able  to  investigate  and 
respond  to  incidents  can  have  a  profound 
impact  on  security  effectiveness.  Not  only  can 
an  investigation  show  whether  the  damage 
from  an  attack  has  been  contained,  but  it  can 
also  be  used  to  discover  when  attackers  are 
likely  still  present  on  networks,  identify  their 
motive  (is  this  an  opportunistic  attack,  or  are 
they  targeting  something  specific?),  and  help 
prevent  future  attacks. 

“An investigation can uncover if attackers have exfiltrated data, such as having cracked administrator user password hashes, or if they have access to your network through some type of remote-access service,” Horne says. “If you don't investigate, you could be dealing with an incident where you've lost millions of credit card numbers and not know it.”

Few  would  argue  that  such  knowledge  isn't 
powerful.  So  why  hasn't  incident  response 
been  taken  more  seriously? 

“Incident response is challenging. There are organizations out there that work on it. Part of the problem is that incident response involves many parts of the company, not just IT security,” says David Mortman, a contributing analyst at IT research firm Securosis and former CISO at a major software provider. Those other people who should be involved in incident response include business executives, telecommunications managers and physical-security managers, as well as people in other parts of the IT department, such as database admins and application teams, who don’t get much practice at responding to security events as part of their day-to-day duties.

To ensure those groups become familiar with each other and learn how to properly respond to security breaches, Mortman says he would often run tabletop incident-response drills. “We'd perform a live drill where we’d [run a scenario of] servers being taken offline, or other scenarios. During these drills, we’d learn where communications and expectations could break down during real events,” he says. “It’s absolutely critical to practice these incidents because anything that falls out of the expected range of daily events tends to throw people for a loop,” he says.

Shackleford agrees. “People tend to stink at response. It’s because, in a large way, they don’t practice. They don’t know what to do. That’s the thing many people can’t get their arms around. If you have a dedicated response effort, you actually have to consistently dedicate time to it so that you have a workable plan. And you practice that plan. And when something happens, you know what to do, and people are trained, and you'll have the tools in place to respond properly,” he says.

Sounds elementary, and it is. “If you can’t detect and respond, your IT security efforts certainly aren’t world-class,” says Mark Lobel, a principal at PwC. “It raises the question: Are companies ready for the current game? The game has long been ‘prevent, detect and respond.’ But I think the game has evolved to ‘detect, contain and repeat,’” says Lobel.


■  George  V.  Hulme  is  a  freelance  security 
and  technology  writer  based  in  Minnesota. 



Adobe  Breached 

Adobe shut down its site Connectusers.com, a community forum for users of its Adobe Connect Web conferencing platform, because the site’s user database was compromised.

A hacker called “ViruS_HimA” claimed he accessed one of Adobe’s servers and copied a database containing email addresses, password hashes and other data for over 150,000 Adobe customers, partners and employees. To support his claim, the hacker published some records for users with email addresses ending in adobe.com, .mil and .gov.

An investigation revealed that “the hacker appears to have compromised the Connectusers.com forum site,” says Wiebke Lips, Adobe’s senior manager of corporate communications. The hacker leaked 644 records, but he claimed to have accessed the entire forum database, she says. The forum has about 150,000 registered users, Lips says, and Adobe was resetting the passwords of affected members.

“It  does  not  appear  that  any 
other  Adobe  services,  including  the 
Adobe  Connect  conferencing  service 
itself,  were  impacted,”  Guillaume 
Privat,  director  of  Adobe  Connect, 
said  in  a  blog  post. 

Based on an analysis of the leaked data, the password hashes were generated with MD5, a hash function that’s known to be insecure, Tal Be’ery, a security researcher at Imperva, said via email. This means they can easily be cracked to recover the original passwords.

-Lucian  Constantin 
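Seeing why a leaked table of MD5 hashes falls so quickly is worth a few lines of code. What follows is an added example, not code from the article, from Adobe or from Imperva. It runs a small dictionary attack over a constructed table of unsalted MD5 hashes, then stores the same constructed passwords with salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library and runs the identical dictionary against them, counting how much hashing each attack needs. Every user name, password, wordlist entry and iteration count here is made up for the demonstration; PBKDF2 stands in for bcrypt or scrypt only because it needs no third-party package. The practical weakness being shown is that MD5 is fast and, as described, unsalted, which matters more for password storage than MD5's collision problems.

```python
"""Unsalted MD5 versus a salted, iterated KDF: how much work a dictionary attack costs.

Added illustration for the Adobe Connectusers.com item. All records, passwords
and wordlist entries below are constructed for the demo; none are Adobe's data.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a leaked table of unsalted MD5 hashes (user -> hex digest).
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"correcthorsebatterystaple").hexdigest(),
}

# Constructed mini wordlist standing in for a cracking dictionary.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "adobe123"]


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5.

    With no salt, one MD5 computation per candidate word tests that word against
    every leaked record at once. Returns (user -> recovered password, hashes computed).
    """
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    found = {user: table[digest] for user, digest in hashes.items() if digest in table}
    return found, len(wordlist)


def hash_password(password, salt=None, iterations=100_000):
    """Store a password as salted PBKDF2-HMAC-SHA256 (standard library only).

    A fresh 16-byte random salt per user means equal passwords get different
    stored hashes, so a precomputed table or a shared hash computation is useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_pbkdf2(records, wordlist):
    """Same dictionary against salted, iterated records.

    Each (user, candidate) pair needs its own KDF run, and each run costs
    `iterations` HMAC rounds, so attacker work scales with users x words x iterations.
    Returns (user -> recovered password, KDF runs performed).
    """
    found, runs = {}, 0
    for user, record in records.items():
        for word in wordlist:
            runs += 1
            if verify_password(word, record):
                found[user] = word
                break
    return found, runs


def build_pbkdf2_records(plaintexts, iterations=20_000):
    """Re-store the same constructed passwords the hardened way.

    The low default iteration count only keeps the demo quick; pick a much
    higher one in production and raise it as hardware gets faster.
    """
    return {user: hash_password(pw, iterations=iterations) for user, pw in plaintexts.items()}


if __name__ == "__main__":
    cracked, md5_work = crack_md5(LEAKED_MD5, WORDLIST)
    print("unsalted MD5:", cracked, "after", md5_work, "hash computations")

    records = build_pbkdf2_records({
        "alice@example.com": "password1",
        "bob@example.com": "letmein",
        "carol@example.com": "correcthorsebatterystaple",
    })
    cracked, kdf_runs = crack_pbkdf2(records, WORDLIST)
    rounds = records["alice@example.com"]["iterations"]
    print("salted PBKDF2:", cracked, "after", kdf_runs, "KDF runs of", rounds, "rounds each")
```

Run it directly and the two printed counts make the point: with no salt, one MD5 computation tests a candidate against every leaked record at once, so the whole table costs only as many hashes as the wordlist has words; with a per-user salt each (user, candidate) pair has to be hashed separately, and each of those runs costs the full iteration count. The third constructed user is recovered by neither attack only because the passphrase is not in the wordlist, which is the other half of the lesson: the storage scheme slows guessing, it does not rescue a password that is on the list.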






PERSPECTIVES 


CSO  Perspectives  on  a  regional  seminar 

MOBILE  SECURITY 

NOVEMBER  15,  2012  I  BOSTON,  MASSACHUSETTS 


THANK  YOU 

TO  OUR 
SPONSORS 


PLATINUM 


GOLD 


Entrust  Fixmo 


Securing  Digital  Identities 
&  Information 


Verizon


SILVER

Perimeter E-Security, Rapid7, Titus

OFFICIAL  WIRE  SERVICE 




MARKETWIRE 


CSO’S  2013  EVENTS: 


CSO40 Security
Confab + Awards

April  2-3,  2013 
Atlanta,  Georgia 

CSO  Perspectives 
on  Mobile  Security 

February  6,  2013 
New  York,  New  York 
May  1,  2013 
Dallas,  Texas 


CSO  Perspectives 
on  Cyber  Security 

March  20,  2013 
Washington,  DC 


CSO  Perspectives 
on  Securing  Big  Data 

May  15,  2013 
New  York,  New  York 
June  19,  2013 
Chicago,  Illinois 
November  2013 
Los  Angeles,  California 
November  2013 
Dallas,  Texas 


PRODUCED  BY 


TO  LEARN  MORE 
OR  REGISTER,  VISIT: 

WWW.CSOONLINE.COM/EVENTS 




Bill  Brenner,  managing  editor 
CSOonline's Salted Hash blog and newsletter covers
the  news  as  it  happens:  blogs.csoonline.com/blog/cso 


WELCOME  TO  MY  THIRD  ANNUAL  PLEA 
for  security  vendors  to  put  away  those  self- 
evident  New  Year’s  predictions.  It’s  that  time 
of  year.  Even  as  I  write  this,  I've  gotten  three 
prediction  emails  since  firing  up  my  laptop. 

I’ve never been a fan of security predictions, though I’ve written about them too many times to count. I guess that makes me a hypocrite. I could tell you that I only do it because my bosses always make me write about it, but why pass the buck? In the world of tech media, we all write about predictions. It’s only a matter of time before I get the predictions assignment from CSO's beloved editor-in-chief.

It’s  like  doing  one  of  those  chores  you  hate 
because,  like  changing  diapers  or  taking  out 
the  trash,  it  has  to  be  done. 


Predictions  are  harmless.  But  here's  my 
beef:  They  change  very  little  from  year  to  year. 

For  eight  years,  I’ve  seen  predictions  that 
this  will  be  the  year  of  mobile  malware  or 
the  year  of  a  federal  data  security  law.  Here’s 
what  Symantec  offered  me  from  its  2013 
crystal  ball: 

■  Conflicts  between  nations,  organizations 
and  individuals  will  predominately  take 
place  in  the  cyber  world. 

■  As  users  shift  to  mobile  and  cloud,  so  will 
attackers,  especially  exploiting  Secure 
Sockets  Layer  (SSL)  Certificates  used  by 
mobile  devices  and  applications. 

■  Malware  continues  to  spike — particularly  as 
companies  seek  to  drive  mobile  ad  revenue. 

■  Consumers  on  social  networks  will  face 
new  security  dangers  and  tricks. 


Sorry,  Symantec,  but  these  aren't  really 
predictions.  It’s  stuff  that's  already  happen¬ 
ing.  It’s  been  happening  for  quite  some  time, 
actually.  Tell  me  something  new. 

Vendors  particularly  love  declaring  their 
competitors' technologies dead. For example,
there  was  the  prediction  that  intrusion-de¬ 
tection  systems  were  on  the  brink  of  death. 
That  declaration  was  many  years  ago,  and  the 
technology  remains  in  demand.  Then  there 
was  the  prediction  that  2009  would  be  the 
year  penetration  testing  died.  Most  of  the 
security  practitioners  I  talk  to  still  swear  by 
that  technique. 

My  inbox  has  been  getting  hammered  with 
2013  vendor  security  predictions  since  Hallow¬ 
een.  They  all  pretty  much  state  the  obvious: 

■  Mobile  malware  is  going  to  be  a  big  deal. 

■  Social  networking  will  continue  to  be 
riddled  with  security  holes. 

■  Technologies  A,  B  and  C  will  go  extinct. 

■  Microsoft  will  release  a  lot  of  security 
patches. 

■  Data  security  breaches  will  continue  to  get 
more  expensive. 

Looking  at  the  predictions  for  2012  that 
were  sent  to  me  at  this  time  last  year,  I  found 
that  any  of  them  could  be  repackaged  as  pre¬ 
dictions  for  2013  and  nobody  would  know  the 
difference. 

Here  are  some  examples  from  the  Zscaler 
Labs  Research  Team: 

■  Political  hacktivism  will  escalate. 

■  Cloud  computing  will  be  fraught  with  se¬ 
curity  risks. 

■  App  stores  like  the  Android  Marketplace 
will  continue  to  be  polluted  with  malicious 
programs. 

■  Social  networking  will  meet  social 
engineering. 

Some  of  my  vendor  friends  will  tsk  me  for 
raining  on  their  New  Year’s  parade.  So  will  the 
PR  people  they  pay  to  distribute  this  stuff. 

But  I  also  know  more  than  a  few  PR  people 
are  reading  this  and  agreeing  with  me. 




SALTED  HASH 


Stop  Them  Before  They  Predict  Again! 




ID  Fraud  Is  Now  Organized  Crime 


THE  ENTREPRENEURIAL  SMALL- 
business  spirit  is  alive  and  well  in  cyberspace. 
Unfortunately,  a  significant  piece  of  it  is  de¬ 
voted  to  crime,  and  a  significant  piece  of  that 
involves  identity  fraud. 

A  study  released  last  month  by  ID  Analytics 
found  that  there  are  more  than  10,000  iden¬ 
tity-fraud  rings  in  the  United  States.  Some 
are  led  by  career  criminals,  but  a  surprising 
number  amount  to  mom-and-pop  operations 
involving  friends  and  family,  according  to  the 
study’s  author,  Stephen  Coggeshall. 

Coggeshall  told  CSOonline  that  although 
about  two-thirds  of  ID  fraud  attempts  are 
shut  down  before  they  do  any  damage,  that 
obviously  means  a  third  get  through.  While 
the  average  income  of  fraud  ring  members  is 
unknown,  the  crime  is  clearly  paying  off,  he 
says.  “If  these  people  weren’t  successful,  they 
wouldn’t  be  doing  it." 

The  study,  which  covered  the  past  decade 
but  put  most  of  its  focus  on  the  past  three 
years,  included  an  examination  of  more  than 
a  billion  applications  for  bank  cards,  wireless 
services  and  retail  credit  cards.  It  found  iden¬ 
tity  fraud  rings  attacking  all  three  industries, 
with  wireless  carriers  the  favorite  target. 

Coggeshall  says  he  found  fraud  rings 
throughout  the  United  States,  but  most  were 
in  a  “belt  of  fraud  stretching  through  the  rural 
Southeast,"  from  Virginia  to  Texas.  He  says 


one  of  the  things  that  surprised  him  was  that 
while  lone  individuals  involved  in  fraud  tend 
to  come  from  urban  areas,  the  fraud  rings 
tend  to  be  in  rural  areas.  One  of  the  things 
that  likely  makes  this  an  attractive  business 
opportunity  in  a  poor  economy  is  that  even 
when  attempted  frauds  are  caught  and  reject¬ 
ed,  the  chance  of  perpetrators  being  arrested 
and  prosecuted  is  low. 

Coggeshall  broke  ID  fraud  into  three  major 
categories.  “Most  people  know  about  identity 
theft,”  he  says,  “where  somebody  steals  your 
personal  information." 

Coggeshall  calls  the  two  less  well-known 
types  “synthetic  identity  fraud”  and  “identity 
manipulation.” 

The  first  is  the  fabrication  of  a  new  iden¬ 
tity  that  has  no  connection  to  a  real  person. 
Generally,  the  creator  will  start  by  using  that 
identity  for  purchases  like  a  pre-paid  cell 
phone  “to  try  to  build  up  some  fidelity  on  it." 
Then  the  fake  identity  will  be  used  to  commit 
higher-level  fraud. 

Identity  manipulation  is  more  common  and 
simpler.  It  involves  things  like  changing  one 
digit  of  a  Social  Security  number  (SSN)  or  a 
birthdate,  while  keeping  other  elements  of  a 
real  ID  the  same.  One  technique,  called  SSN 
tumbling,  involves  making  repeated  changes 
to  known,  valid  SSNs  for  multiple  account  ap¬ 
plications.  -Taylor  Armerding 
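As an added example (not from the article or from ID Analytics), the Python below runs two checks a lender's application screening could apply to a batch of applications to surface the two manipulation patterns Coggeshall describes: a same-name applicant whose SSN or birthdate differs by a single digit, and chains of applications whose SSNs are each one digit apart whatever name is on the form. The applications, names, SSNs and dates are constructed for the example.

```python
from itertools import combinations

# Constructed batch of account applications. All identifiers are invented.
APPLICATIONS = [
    {"id": 1, "name": "John Q. Public", "ssn": "123-45-6789", "dob": "1980-03-14"},
    {"id": 2, "name": "john q public",  "ssn": "123-45-6788", "dob": "1980-03-14"},  # SSN off by one digit
    {"id": 3, "name": "JOHN Q PUBLIC",  "ssn": "123-45-6789", "dob": "1980-03-15"},  # DOB off by one digit
    {"id": 4, "name": "Jane Doe",       "ssn": "987-65-4321", "dob": "1975-11-02"},
    {"id": 5, "name": "Jane Doe",       "ssn": "987-65-4321", "dob": "1975-11-02"},  # exact repeat, not manipulation
    {"id": 6, "name": "Jon Public",     "ssn": "123-45-6787", "dob": "1980-03-14"},  # tumbled SSN, different name
]


def digits(s):
    """Keep only digits so '123-45-6789' and '123456789' compare equal."""
    return "".join(ch for ch in s if ch.isdigit())


def normalize_name(name):
    """Case-fold, drop punctuation and collapse whitespace."""
    return " ".join(name.lower().replace(".", "").replace(",", "").split())


def hamming(a, b):
    """Number of differing positions, or None when the lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def flag_manipulation_pairs(apps):
    """Identity manipulation: same name, and exactly one of SSN/DOB changed
    by a single digit while the other is identical.
    Returns [(id_a, id_b, changed_field), ...] in input order."""
    flagged = []
    for a, b in combinations(apps, 2):
        if normalize_name(a["name"]) != normalize_name(b["name"]):
            continue
        d_ssn = hamming(digits(a["ssn"]), digits(b["ssn"]))
        d_dob = hamming(digits(a["dob"]), digits(b["dob"]))
        if d_ssn == 1 and d_dob == 0:
            flagged.append((a["id"], b["id"], "ssn"))
        elif d_dob == 1 and d_ssn == 0:
            flagged.append((a["id"], b["id"], "dob"))
    return flagged


def ssn_tumbling_clusters(apps, min_distinct=2):
    """SSN tumbling: applications whose SSNs chain together one digit apart,
    regardless of the name used. Union-find over pairs with Hamming distance
    <= 1; returns sorted id lists for clusters holding at least
    `min_distinct` different SSNs (a cluster of exact repeats is not tumbling)."""
    parent = {app["id"]: app["id"] for app in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(apps, 2):
        d = hamming(digits(a["ssn"]), digits(b["ssn"]))
        if d is not None and d <= 1:
            parent[find(a["id"])] = find(b["id"])

    groups = {}
    for app in apps:
        groups.setdefault(find(app["id"]), []).append(app)

    clusters = []
    for members in groups.values():
        if len({digits(m["ssn"]) for m in members}) >= min_distinct:
            clusters.append(sorted(m["id"] for m in members))
    return sorted(clusters)


if __name__ == "__main__":
    for a, b, field in flag_manipulation_pairs(APPLICATIONS):
        print("applications {} and {}: same name, {} differs by one digit".format(a, b, field))
    for cluster in ssn_tumbling_clusters(APPLICATIONS):
        print("possible SSN tumbling across applications", cluster)
```

Both checks are pairwise, so they are fine for a daily batch but need blocking (for example by SSN prefix or name key) before they scale to the billion applications the study examined; the point is that a one-digit change is cheap for the fraudster and cheap to detect once the comparison is written to look for it.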


WISDOM  WATCH 


National  Security 
Edition 

David  Petraeus.  The  ex-CIA 
director  may  have  com¬ 
promised  national  security  during 
his  affair  with  biographer  Paula 
Broadwell.  Maybe  she  never  had  ac¬ 
cess  to  his  CIA  email  account,  but 
the  fact  that  she  used  the  retired 
general’s  personal  email  account  to 
harass  another  woman  raises  ques¬ 
tions  about  how  much  access  she  re¬ 
ally  had  to  sensitive  intelligence. 

Protection  of  civil  liberties. 
Google  says  government  sur¬ 
veillance,  as  measured  by  requests 
for  user  data,  is  rising  steadily 
worldwide,  with  the  United  States 
leading  the  pack.  Having  Big  Brother 
constantly  watching  you  is  too  high 
a  price  to  pay  for  security. 

Cybersecurity 
legislation.  Some 
government  officials  insist  we  need 
a  national  cybersecurity  law  to 
bridge  the  gap  in  security  between 
the  public  and  private  sectors.  The 
current  bill  before  Congress  appears 
doomed,  but  that’s  not  a  bad  thing. 
The  information-sharing  component 
would  have  allowed  for  unprec¬ 
edented  invasions  of  privacy  in  the 
name  of  national  security. 

NASA.  We’re  tired  of  having 
to  put  the  space  agency  in 
here  for  data  security  breaches,  but 
it can’t seem to prevent incidents.
Last  month,  personally  identifiable 
information  of  “at  least”  10,000 
NASA  employees  and  contractors 
was  put  at  risk  following  the  theft  of 
an  agency  laptop.  -B.B. 




Tech 


Antivirus  Startup  Linked  to  Infamous  Chinese  Hacker 


ANVISOFT,  A  CHINESE  ANTIVIRUS  STARTUP,  HAS  BEEN 
linked  to  an  infamous  hacker  suspected  of  developing  sophisticated 
malware  used  to  siphon  sensitive  information  from  Department  of  De¬ 
fense  contractors  in  2006. 

Through  some  high-tech  sleuthing  on  the  Web,  Brian  Krebs,  author 
of  the  Krebs  on  Security  blog,  found  Anvisoft-connected  IP  addresses 
registered  to  “tandailin”  in  Gaoxingu,  China. 

Tan  Dailin,  a.k.a.  Withered  Rose,  was  the  subject  of  Verisign’s  2007 
iDefense  report,  which  described  Dailin  as  the  then-20-year-old  leader 
of  a  state-sponsored  hacking  team  called  NCPH,  which  stood  for  Net¬ 
work  Crack  Program  Hacker. 

In  2006,  the  group  was  linked  to  multiple  zero-day  attacks  against 
Microsoft  Office  vulnerabilities.  Some  of  the  attacks  were  aimed  at  de¬ 
fense  contractors,  Krebs  reported. 

Anvisoft  did  not  respond  to  a  request  for  comment,  and  has  been 
coy  in  answering  questions  on  its  user  forum.  Krebs  acknowledged  that 
Dailin  might  not  be  connected  to  the  company. 

“This  may  all  be  a  strange  coincidence  or  hoax,”  Krebs  wrote  in  a 
November  blog  post.  "Anvisoft  may  in  fact  be  a  legitimate  company, 
with  a  legitimate  product;  and  for  all  I  know,  it  is.  But  until  it  starts  to 
answer  some  basic  questions  about  who's  running  the  company,  this 
firm  is  going  to  have  a  tough  time  gaining  any  kind  of  credibility  or 
market  share.” 

Small  businesses  and  consumers  should  take  the  report  as  a  caution 


to  only  use  “well-known  and  trusted  branded  products  in  such  a  sensi¬ 
tive  area  as  malware  protection,”  says  Al  Hilwa,  an  analyst  at  IDC,  a 
unit  of  CSO's  parent  company. 

Threats  like  the  possibility  of  hackers  masquerading  as  a  legitimate 
anti-malware  company  are  “why  consumer  technologies  are  moving  to 
the  curated  platform  app  store  model  that  we  see  today  with  mobile 
devices,  where  the  responsibility  of  screening  applications  and  utilities 
is  handled  by  well-known  and  trusted  branded  companies,”  Hilwa  says. 

While  not  condoning  Dailin’s  past,  Himanshu  Dwivedi,  founder  of 
security  consulting  firm  iSEC  Partners,  says  sophisticated  hackers  are 
better  equipped  to  build  antivirus  products  than  the  average  software 
developer  without  a  background  in  security. 

“When  you  take  a  pure  security  person  to  write  a  product,  for  me 
personally,  and  this  is  my  bias,  I  actually  have  more  confidence  that 
that  product  is  secure  because  it’s  written  by  someone  who  knows  all 
the  ways  to  bypass  software,”  Dwivedi  says. 

Nevertheless,  to  buy  a  security  product  from  someone  like  Dailin 
would  expose  the  buyer  to  unnecessary  risk,  says  Gartner  analyst  Peter 
Firstbrook.  “I  would  rather  trust  my  PC  security  to  a  good  white-hat 
hacker  than  a  reformed  black-hat  hacker.” 

China  is  known  as  a  hotbed  for  cyberespionage.  The  Department 
of  Defense  recently  reported  that  Chinese  hackers  aiming  malware  at 
U.S.  industries  and  government  agencies  were  a  threat  to  the  national 
economy.  -Antone  Gonsalves 




CSO Forum on LinkedIn


Share  best  practices  and  insight 
and  discuss  your  challenges  with 
your  security  executive  peers. 

The  CSO  Forum  is  where  members  of  the  security 
community  can  connect  and  collaborate  to  move  their 
security  and  technology  initiatives  and  careers  forward. 

If  you  are  a  senior  security  or  IT  professional,  we’d  love 
to  have  you  join— apply  for  membership  today. 

Visit  linkedin.com  click  Groups  and  search  for  “CSO  Forum" 

Facilitated  by  CSOOnline.com  and  CSO  Magazine 

CSO 

BUSINESS  RISK  LEADERSHIP 




Taking  a  Risk  on  Risk  Management 

A  law  firm’s  new  subsidiary  bets  on  the  growing  interrelationships  in  operational  risk  by  derek  slater 


GREG  KADEN  IS  A  LAWYER  SPECIAL- 
izing  in  corporate  bankruptcy  at  Goulston 
and  Storrs.  Seeing  changes  and  trends  in  risk 
management  and  insurance,  Kaden  and  a 
few  colleagues  pitched  the  creation  of  a 
subsidiary  called  Fort  Hill  Risk  Management 
(www.forthillrisk.com).

Kaden  spoke  with  CSO  about  how  internal 
controls  and  insurance  work  together  for  ef¬ 
fective  risk  management. 

CSO:  Are  more  companies  thinking  more 
about  risk  management  in  these  turbulent 
times? 

Greg  Kaden:  It's  difficult  to  generalize 


from  my  perspective,  which  has  been  on  a 
case-by-case  basis.  Some  organizations  are 
very  sophisticated  and  have  very  detailed  op¬ 
erational  controls,  and  some  others  are  more 
averse even to purchasing insurance; they
may think it's not worth the expense, and it
isn’t  clear  whether  they’ve  actually  done  a 
cost-benefit  analysis  or  have  a  strong  sense  of 
their  own  internal  controls.  Some  are  flying  by 
the  seat  of  their  pants. 

Goulston  and  Storrs  is  a  big  firm— 
about  200  lawyers.  Why  create  Fort  Hill, 
a  risk  management  subsidiary? 

There  were  three  or  four  of  us  with 


some  insurance  bent  to  our  practices — 
[together  these  amounted  to  a]  very  frag¬ 
mented  practice  that  had  developed  in  the 
firm  on  almost  an  ad  hoc  basis.  So  it  made 
sense  to  institutionalize  that  practice  and  or¬ 
ganize  our  thinking. 

But  the  idea  also  stemmed  from  a  couple 
of  other  considerations.  At  a  law  firm,  you  are 
very  much  tied  to  hourly  billing.  There’s  little 
flexibility  in  terms  of  fee  arrangements,  or 
bringing  in  non-lawyers  to  assist  with  work. 

So  setting  up  a  subsidiary  allows  us  to  do  flat- 
fee  engagements,  contract  with  people  who 
aren’t  affiliated  with  Goulston  and  Storrs  who 






Derek  Slater,  Editor  in  Chief 
dslater@cxo.com, Twitter: @derekcslater


have  some  specific  expertise,  and  so  on. 

Additionally,  in  the  traditional  risk  man¬ 
agement  world,  there's  a  lot  of  confidential 
information  that  gets  exchanged,  and  there 
are  nondisclosure  agreements  providing  some 
protection  for  that  information.  But  a  nice 
thing  about  our  Fort  Hill  operation  is  that  we 
can  make  the  additional  argument:  If  there’s  a 
subpoena,  some  of  the  discussion  is  in  the  na¬ 
ture  of  legal  advice,  and  so  it  can  be  covered 
by  attorney-client  privilege.  So  that  provides 
an  additional  layer  of  protection  for  some  of 
that  confidential  information. 

There  seems  to  be  a  poor  connection  in 
many  organizations  between  risk  manag¬ 
ers  and  the  people  in  charge  of  in-house 
security.  Do  you  think  that’s  true? 

Part  of  the  philosophy  that  we  want  to 
bring  to  the  table  recognizes  that  very  dis¬ 
connect.  One  of  our  primary  approaches  in 
providing  services  is  to  take  a  very  holistic 
view, broader probably than the typical
straight  insurance  broker  would  take.  We  want 
to  understand  the  business  operation,  look 
at  the  indemnification  agreements  that  are 
in  place,  the  key  contracts.  Broadly  speaking, 
what  are  your  real  exposures?  What  can  be 
mitigated  by  a  non-insurance  contract,  or  by 
insurance  policy?  What  risks  can  be  assumed 
or  ignored?  The  fact  that  we  think  that’s  a 
relevant  approach  speaks  to  the  idea  that  we 
observe  that  same  disconnect  between  inter¬ 
nal  risk  management  elements. 

I  don’t  have  a  magic  identifier  as  to  what 
constitutes a strong internal risk-control environment;
it seems to be based on the people.

I  have  seen  companies  with  thoughtful,  risk- 
averse  people  who  are  also  good  business 
people  and  who  can  strike  the  right  balance.  I 
have  also  run  into  very  successful  businesses 
that  are  well  run  and  have  good  management 
overall,  but  for  some  reason  have  underdevel¬ 
oped  insurance  programs. 

For  executives,  insurance  at  times  can  be 
very  much  a  check-the-box  exercise.  “OK,  we 
have  a  management  liability  policy,  a  general 
liability  policy,  so  our  risks  are  covered.”  They 
don’t  focus  on  whether  the  policies  in  place 
are  really  compatible  with  the  needs  of  the 
business,  or  the  risk  appetite  of  the  business. 


BLOG  POST 


The  Story  So  Far 

AS  I  SAID  AT  THE  OUTSET,  IN  THIS  SPACE  I’LL  BE  COVERING  ENTER- 
prise  risk  management  (ERM)  from  a  security  point  of  view.  But  since  this  col¬ 
umn  is  by  no  means  our  first  foray  into  this  topic,  why  don’t  I  point  you  to  some  of 
CSOonline’s previous coverage of risk management, articles that, together, provide
a  practical  grounding  in  the  subject. 

1. Jeff Spivey (former president of ASIS, now affiliated with RiskIQ) provides a
great,  accessible  overview  of  ERM  at  www.csoonline.com/article/461481. 

2.  This  article  offers  a  practical  approach,  a  strategy  for  putting  together  some 
homespun  holistic  risk  management  if  your  organization  isn’t  ready  to  go  whole-hog 
with  a  formal  framework  like  COSO:  www.csoonline.com/article/610063 

3.  This  article  about  organizing  for  ERM  offers  a  deeper  dive  into  how  several 
large  companies  are  structuring  their  risk  management  efforts:  www.csoonline. 
com/article/682961 

4. Hopefully you know your company’s risk managers, a title that’s long been in
use  in  the  insurance  world.  They’re  the  ones  who  buy  insurance  policies  for  the  com¬ 
pany.  (Spivey  refers  to  this  function  in  the  first  article  I  linked  to.)  Security  is  tasked 
with reducing risks; insurance policies transfer risks to another party, for a fee, of
course.  Both  tactics  are  key  parts  of  ERM.  What  are  your  risk  managers  thinking 
about?  www.csoonline.com/article/695456 

5.  And  lastly,  this  interview  with  the  CSO  of  Georgetown  University  reveals  how 
the  school  managed  to  translate  risk-management  ideas  into  focused  projects  that 
have  increased  both  security  and  efficiency:  www.csoonline.com/article/595519 

Next time I will point you to some in-depth coverage of risk measurement practices,
particularly in regard to IT. After that, we’ll charge forward with new inter¬
views  and  observations  from  across  the  risk  management  spectrum. 


You  would  think  that  with  the  last  decade 
with  Sarbanes-Oxley  and  Dodd-Frank,  that 
would  be  changing. 

Why  is  it  valuable  or  necessary  to  have 
the  flexibility  to  bring  in  outside  experts? 

Part  of  our  philosophy  is  that  we  want  to 
work  collaboratively  with  existing  brokers  or 
partners.  We  don’t  want  to  displace  others 
just  for  the  purpose  of  getting  all  the  glory,  or 
telling  people  they’ve  been  doing  it  all  wrong. 
So  in  that  spirit,  we  recognize  that  there  are 
going  to  be  situations  where  either  our  exper¬ 
tise  is  limited,  or  the  engagement  would  ben¬ 
efit  from  the  help  of  a  non-lawyer. 

For  example,  in  a  situation  where  we  might 
be  having  difficulty  making  headway  with  an 
underwriter,  it  could  help  to  have  someone 
with  an  underwriting  background  brought  in. 
We  interviewed  a  guy  who  is  a  retired  lawyer 


with  excellent  crisis-management  skills,  so  if 
there  is  an  engagement  with  a  PR  crisis  brew¬ 
ing,  we  could  call  in  his  experience. 

How  does  your  personal  specialty  of 
bankruptcy  law  fit  into  this  equation? 

My  interest  in  insurance  developed  from 
being  a  bankruptcy  lawyer.  Any  time  a  com¬ 
pany  failed,  the  executive  team  inevitably 
wound  up  in  trouble.  Fingers  were  pointed  at 
them  by  creditors.  So  insurance  policies  need 
to  be  targeted  at  the  gap  between  the  bal¬ 
ance  of  obligations  to  creditors  and  the  ability 
of  the  company  to  repay  those  obligations. 

In  creating  Fort  Hill,  we  saw  three  areas 
of  insurance  that  are  particularly  relevant  in 
today’s  environment:  management  liability, 
data  security,  and  environmental.  Among  the 
three  founding  members,  we  have  those  areas 
well  covered. 






LEADERSHIP  STRATEGY  MANAGEMENT  SKILLS  CAREER 


How  to  Keep  Your 
Best  Workers  Happy 

Career  experts  offer  advice  on  retaining  your  highest-quality  talent  so 
they  don’t  leave  to  work  for  your  competitor  by  joan  goodchild 


YOU  WANT  THE  BEST  ON  YOUR  SECU- 
rity  team.  And  once  you’ve  got  them,  you 
want  to  keep  them  happy  and  keep  them  in 
your  organization. 

Three  security  career  and  management 
experts  weigh  in  on  what  security  managers 
need  to  do  to  retain  top-notch  security  talent. 

First,  figure  out  whether  you 
have  the  right  team.  “Don't  assume 
the  people  you  currently  have  in  place  are 


the  people  you  need  to  have  on  your  security 
team,”  says  Lenny  Zeltser,  a  senior  faculty 
member  with  SANS  Institute  and  a  product 
management  director  at  NCR.  Zeltser  has 
hired  many  people  over  the  years,  and  he 
believes  the  first  step  to  retaining  great  tal¬ 
ent  is  to  ensure  you  have  highly  skilled,  well- 
matched  team  members  first. 

“It  is  very  difficult  to  admit  to  oneself  that 
people  are  on  the  borderline  in  terms  of  per¬ 


sonality and match, and may not be the best
for  your  organization.  As  human  beings,  we 
tend  to  want  to  stay  with  the  status  quo  and 
say, ‘This is the team I have here. If I have
lemons, I’ll make lemonade.’ But that’s not the
right strategy."

That  may  mean  changing  job  descrip¬ 
tions,  restructuring  departments  or  shuffling 
employees  to  places  where  they  are  better 
suited.  Or,  in  a  difficult  situation,  letting  some 
people  go. 

“Just  like  you  provide  feedback  and  review 
to  employees  once  or  twice  a  year,  as  a  man¬ 
ager you want to check in with yourself, too, on
whether  who  you  have  on  the  team  is  right 
for  its  goals.  Your  security  team  may  have  had 
different  goals  when  first  created.” 

Evaluate your pay structure. Once
you’ve evaluated where your team stands,
and  what  kinds  of  skills  you  want  to  see  in 
your  department,  it  is  time  to  look  at  whether 
your  organization's  compensation  structure  is 
up  to  market  standards. 

“Recruiting  and  retaining  are  essentially 
married,"  says  Lee  Kushner,  founder  and  CEO 
of  LJ  Kushner  and  Associates,  a  recruitment 
firm  for  information  security  professionals. 
“Your  current  state  of  the  organization  has  a 
lot  to  do  with  who  you  can  bring  in.” 

Kushner  says  one  of  the  battles  organiza¬ 
tions  face  when  trying  to  build  their  security 
team  is  the  concept  of  internal  equity.  When 
recruiting  for  a  security  position,  often  it  turns 
out  that  talent  outside  the  company  is  earn¬ 
ing  more  than  the  people  inside  the  company. 
Obviously,  this  creates  conflict  between 
human  resources,  the  recruitment  team  and 
the  security  department. 

“I  think  it’s  important  today  for  CSOs  and 
CISOs  to  have  better  understanding  of  the 
market  value  of  the  skills  of  their  security  em¬ 
ployees  and  be  able  to  make  the  case  to  their 




Want  to  be 
in  the  know 
about  the 
latest 
security 
topics  and 
trends? 


Become  a  CSO 

You’ll  gain  exclusive  access  to  premium 
content  and  resources,  including: 


■  What  to  buy.  In-depth  reviews  of  security 
and  IT  solutions 

■  Executive  and  Peer  Interviews  and  Insights. 
Deep  dives  with  the  industry’s  top  thinkers 

■  Practical  tips.  How-to  articles  for  security 
and  IT  professionals 

■  Exclusive  research  &  analysis.  Incisive  reports, 
case  studies,  and  more 

■  How  to  get  ahead.  Career  advice  from  industry 
experts  and  peers 

■  Invitations  to  select  events.  Get  the  inside  edge 


To  register  for  Insider  exclusive  content  visit: 

www.csoonline.com/insiders/index 


Lead 


management  for  reexamining  their  compen¬ 
sation,  so  they  aren’t  put  in  position  where 
they  have  retention  issues.” 

Kushner  also  says  the  poor  economy  has 
given  many  organizations  the  false  impression 
that  they  can  get  talent  for  lower  salaries. 

“I’m  not  going  to  be  so  bold  as  to  say 
there’s  no  unemployment  among  security 
professionals,  but  there  is  negative  unem¬ 
ployment  for  highly  skilled  security  profes¬ 
sionals.  When  people  are  starting  to  add  to 
their  team,  they  have  this  nirvana,  Shangri-la 
profile  they  want  to  recruit  for.  It’s  kind  of  like 
having  champagne  tastes  and  beer  budgets. 
You  get  what  you  pay  for." 

In  other  words,  make  sure  you’re  paying 
your  current  talent,  and  any  future  talent, 
what they are worth, or someone else will.

Provide  training  and  education. 
“Training  and  education  must  be  a  continu¬ 
ous  process  for  all  security  staff,”  according  to 
Hord  Tipton,  executive  director  of  information 
security  education  and  certification  firm  ISC2. 
“Technology is changing so rapidly; no one can
keep  up  with  everything  that  is  changing  and 
evolving.  To  a  degree,  a  well-rounded  security 
program  must  have  specialization.  Although 
organizations  need  people  who  understand 
the  entire  security  process,  they  also  need  peo¬ 
ple  who  are  specialized  and  totally  up-to-date 
in  the  many  areas  that  must  be  well  under¬ 
stood  before  security  can  be  implemented.” 

Offering  your  security  team  the  chance  to 
take  professional  development  and  educa¬ 
tion  courses  keeps  them  feeling  refreshed 
and  challenged.  And  it  obviously  benefits 
the  organization,  too.  Well-rounded  security 
professionals  look  forward  to  the  opportunity 
to  further  hone  their  skills.  If  an  organization 
neglects  their  need  for  frequent  training,  they 
will  go  elsewhere,  says  Tipton. 

“For  example,  the  amount  of  technologies 
that  have  emerged  in  the  last  year  surround¬ 
ing  cloud-based  applications,  social  media, 
virtual  servers,  and  mobile  devices  has  been 
overwhelming,”  says  Tipton.  “We  must  con¬ 
tinually  develop  technical  training  that  is 
specific  to  the  jobs  performed  and  matched 
to  continuing  professional  education  [CPE] 
requirements.  Obtaining  quality  CPE  [courses] 


“It’s  important  to  have 
an  understanding  of 
the  market  value  of 
the  skills  of  security 
employees  to  avoid 
retention  issues.” 

-LEE  KUSHNER,  FOUNDER  AND 
CEO,  LJ  KUSHNER  AND  ASSOCIATES 

is  more  important  now  than  ever.” 

Offer  opportunities  for  growth. 

Sure,  everyone  wants  a  raise  and  a  promotion 
after  proving  themselves  on  the  job,  but  that’s 
not  always  easy,  or  even  possible,  says  Zeltser. 
Organizational  and  financial  constraints  often 
put  the  brakes  on  desired  title  changes. 

Instead,  offering  a  security  team  member 
the  chance  to  work  with  new  technologies,  or 
be  exposed  to  new  challenges,  can  provide  a 
different  kind  of  career  growth  that  can  also 
be  satisfying  and  fulfilling,  says  Zeltser.  It’s  re¬ 
ally  up  to  the  individual  to  decide  if  they  want 
to  take  on  more  responsibility  without  an 
actual  promotion,  but  many  will  want  to  do  it 
for  the  challenge. 


“You  might  have  a  person  who  started  as 
an  entry-level  help  desk  technician,  became 
really  good  at  trouble-shooting  desktop- 
related  problems,  started  dealing  with  mal¬ 
ware  in  sections,  and  then  gradually  became 
interested  in  malware  analysis  and  incident 
response.” 

In  that  scenario,  Zeltser  points  out,  the 
employee  has  rounded  out  their  skill  set  and, 
consequently,  gained  career  benefits,  even  if  it 
didn’t  come  with  a  title  change. 

However,  it  is  a  rare  employee  who  will 
keep  taking  on  new  roles  without  at  some 
point  expecting  rewards. 

“If  someone  keeps  adding  to  their  respon¬ 
sibilities  but  knows  there  is  no  chance  for  pro¬ 
motion  and  knows  they  have  hit  a  ceiling,  they 
will  eventually  end  up  leaving" 

Avoid  burnout.  Security  is  a  career 
well-known  for  being  high-stress  and  a  likely 
path  to  burnout.  That  perception  is  backed  by 
a  2010  survey  conducted  by  the  group  of  in¬ 
dustry  experts  who  founded  SecBurnout.org. 
While the researchers felt that the 124 valid
responses  they  got  weren’t  enough  to  allow 
them  to  draw  statistically  meaningful  conclu¬ 
sions,  they  were  nonetheless  able  to  make 
some  interesting  observations. 

The  data  revealed  that  almost  13  per¬ 
cent  of  those  surveyed  were  in  what  was 
referred  to  as  a  “red  flag”  area  for  burnout 
and  were  clearly  in  need  of  some  interven¬ 
tion.  A  majority  of  respondents  noted  that 
they  thought  security  was  more  stressful  than 
other  industries. 

A  variety  of  industry-related  stressors 
contribute  to  this  problem.  For  one,  security 
professionals  worry  about  the  impact  to  the 
organization  if  there’s  a  serious  security  event. 
For  another,  they’re  worn  down  by  the  tire¬ 
some  task  of  constantly  having  to  tell  em¬ 
ployees  and  management  “no.” 

Zeltser  suggests  one  way  to  address  this  is 
to  educate  security  team  members  on  how  to 
better  approach  these  situations. 

It’s rarely useful to simply tell someone “no,”
says  Zeltser.  “Useful  advice  is,  'You  can't  do  it 
this  way,  and  here  are  the  reasons  why.'  And 
encourage  them  to  find  and  offer  alternatives, 
too,  to  the  issue,  so  it’s  not  just  saying  'no.'” 






It’s  Time  to  Start  Patching  the  Human  OS 


COMPUTERS  AND  MOBILE  DEVICES  STORE,  PROCESS 
and  transfer  highly  valuable  information.  As  a  result,  your  organiza¬ 
tion  most  likely  invests  a  great  deal  in  protecting  them.  Protect  the 
end point and you protect the information. Humans also store, pro¬
cess and transfer information; people are in many ways noth¬
ing more than another operating system, the Human OS.

Yet  if  you  compare  how  much  organizations  invest  in  securing 
their  computers  versus  how  much  effort  they  put  into  teaching 
employees  how  to  safeguard  information,  you  would  be  stunned 
at  the  difference.  For  example,  organizations  typically  invest  in  the 
following  resources  to  protect  an  end  device: 


antivirus  software 
patch  management 
virtual  private  networks 
host-based  prevention 
systems 


two-factor  authentication 
vulnerability  scanning 
end-point  encryption 
log  monitoring 


Now go down that list and add up the cost for securing each computer. Then add support contracts, help desk phone calls, and how many full-time employees it takes to maintain all of this technology. You probably end up spending $100 or $200 a device.

Now, let’s go through the exact same process for people. How much to secure each employee? Hear those crickets chirping? Your organization is most likely spending 20 to 50 times more on securing computers than on securing the Human OS, if it’s working with those employees at all.

If finding the dollar amount for each computer is too complex, try a simpler metric. Count how many people you have on your information security team. Now, out of all those people, how many focus on securing technology and how many on securing the Human OS? You probably will end up with a very similar metric, something like 20-1 or 50-1. And organizations still wonder why the human is the weakest link.

Technology is important, and we must continue to invest in and protect it. However, eventually you hit a point of diminishing returns. We have to invest in securing the Human OS as well, or bad guys will continue to bypass all of our controls by simply compromising the human end-point.

Think of it in these terms: Fifteen years ago was the wild, wild West of hacking, the golden age of worms. Cyberattackers could easily compromise millions of systems by randomly scanning every system on the Internet and break into anything that was vulnerable, which was most systems in those days. We in the security community felt a great deal of pain and invested heavily in securing computers. Nowadays, computers come out of the box with firewalls, minimized services, automated patching and memory randomization. Fifteen years later, it has become much harder to compromise a computer.

But in those same fifteen years, what have we done for the Human OS? Nothing. As a result, the Human OS is still stuck in the days of Windows 95, WinNT or Solaris 2.5. There is no firewall on by default, all the services are enabled, and this operating system is happy to share data with anyone that asks.

Until we begin to address the human problem, the bad guys will continue to have it easy.


■ Lance Spitzner is the training director for the SANS Institute’s Securing the Human program.


IDEAS


LAST YEAR’S COLLECTION of great ideas was so well received that we decided to do an encore.

We’ve scoured our archives for ideas from CSOs, academics, consultants and philosophers, for concepts big and small. What these ideas have in common is the ability to elevate your department and your career.

So grab your highlighter, start each day by reading until you hit an idea that challenges you, mark it, and try it. Rinse and repeat.




1 Get an MBA.

Might as well lead with the most ambitious idea. It’s not enough to learn some business buzzwords—in fact, just spouting jargon may cause more problems than it solves. CSO Tim Williams urges his security team to pursue MBAs to gain an in-depth understanding of business principles.
www.csoonline.com/article/688812




2 Cut everybody’s speaking time to 5 minutes in this month’s meetings.


Experiment: Before your next status meeting, rule that each speaker has only five minutes to speak. Enforce this limit without exception, ideally by putting a kitchen timer on the conference table. See if you get the same amount of information, and whether it clarifies and prioritizes everyone’s thinking as they prepare for the meeting. If the rule works, keep it.

3 Encrypt sensitive data before sending it to your cloud provider.

www.csoonline.com/article/717307

4 Update your Business Impact Analysis (BIA).

In disaster-recovery or -mitigation efforts, prioritization is the key. Kelley Okolita, author of Building an Enterprise-Wide Business Continuity Program, says your BIA should consider: time before impact, customer impact, regulatory impact and financial impact.
www.csoonline.com/article/509539


5 Jazz up the way you present your operational metrics.

Try tree maps, heat maps, you-are-here graphics, small-multiple graphs, and time series graphs. Read the works of Edward Tufte and get a copy of Andrew Jaquith’s Security Metrics: Replacing Fear, Uncertainty and Doubt.

www.csoonline.com/article/220462


6 Think about managed file transfer (MFT).

Some files are too big or too sensitive to send by email—though employees will try that first. Are your employees relying on Dropbox, Sharepoint or free file-transfer sites? (Yes. Yes they are.) If this creates risk of losing confidential data, an MFT product may be part of the solution.
www.csoonline.com/article/686193

7 Implement CLASP.

Train your software developers to build secure code from the start, instead of relying on post-production bug hunts. CLASP is an open software-security methodology. Microsoft’s Secure Development Lifecycle is another. Point is, use a framework.

www.csoonline.com/article/621496

8 Try mobile device management—as one part of your mobile security solution.

But don’t rely on it solely. CSOs say it’s only part of the puzzle.

9 Use Group Policy to lock down Internet Explorer.

“The Active Directory is not only a centralized directory service offering authentication and authorization for your Windows domain, but it can also control security policies throughout your Windows environment. Group Policy allows administrators to centrally control the configuration of Internet Explorer and thus efficiently lock down an entire enterprise’s browsers,” says Joseph Guarino of Evolutionary IT.
www.csoonline.com/article/692824

10 Educate employees about the security issues in their own lives.

Help them spot social media scams, ATM skimmers and bad privacy policies. They’ll build better habits, so data security will be automatic, and they’ll be more receptive to the company’s security concerns.

11 Give users minimum privileges.

“Some organizations still run desktops with administrative privileges. To avoid constant requests to install or configure software, IT operations sometimes allow users to install whatever they like. Thankfully, I’m seeing less and less of this problem in my consulting engagements, but I do still run into it, and I laugh (and sometimes cry a bit) when I do. To reduce the damage that Web-based malware can wreak, users should only be given the minimum amount of privileges they need,” says Evolutionary IT’s Joseph Guarino.
www.csoonline.com/article/692824


Create your own digital forensics lab.

For a high-end do-it-yourself lab, you can combine tools like Logicube’s Portable Forensic Lab, Accessdata’s FTK Imager, or Encase. To do it on the cheap, learn to use a USB external hard drive and some Windows Registry editing techniques, says corporate investigations manager Brandon Gregg.
www.csoonline.com/article/497849


Visualize your investigations.

Brandon Gregg recommends Analyst’s Notebook from IBM subsidiary i2, but says creating time lines, organizational charts and asset-allocation views in Visio, PowerPoint or Open Office Impress can help make visual connections in an investigation.

www.csoonline.com/article/534215


Track online info leaks.

Try Monittor.com, Limewire, Addictomatic, and (of course) Google and Google Alerts.
www.csoonline.com/article/493763


Know when to stop adding to your list of risks.

Alex Hutton, of the Society of Information Risk Analysts, says many organizations, when evaluating the risks they face, focus too heavily on listing and ranking every single thing that could go wrong. This list is called a risk register.

“The problem with creating a risk register is that people never know quite when to stop. They’ll keep piling on risks, even the most obscure, from cyberattackers with every conceivable motivation to the possibility of a jet engine falling through the roof of the data center,” Hutton says.

“Very esoteric risks are things that make it into risk registers. But they’re often very low-probability events that could cost a bajillion dollars to mitigate,” he says.

www.csoonline.com/article/717341

Find ways to improve the performance of your virtualization setup.

“In many IT organizations, every server updates its antivirus signature files at the same time every day, resulting in 25 or 50 virtual machines launching the same activity all at once. This bogs down the server, resulting in lower throughput,” writes Bernard Golden, vice president of enterprise solutions for enStratus Networks, which makes cloud-management software.

Instead, make the antivirus scanner itself a single virtual machine that serves the others as needed.
www.csoonline.com/article/701643


Map your business-process flow.

If you’re experiencing a particular kind of loss throughout the company that’s affecting the bottom line, says the CSO at a Six Sigma-oriented company, the first step is to identify all the elements involved in that process and attack the gaps. “Business process mapping allows us to focus our efforts on specific, real defects.”
www.csoonline.com/article/221094


What if your perimeter were your only line of defense?

How would it need to be strengthened? What tools would you employ?

Formalize your change-management process.

At a large aerospace and defense company, change management requires that security managers introduce a new process to top-level managers—business-unit CIOs, for example—and explain why it’s important and demonstrate, in clear business terms, why they need to support it. Spelling out the logic behind a change can help build support for it at all levels of the company.
www.csoonline.com/article/221094


Piggyback your message.

When communicating to the company about the security organization, it’s not a bad idea to piggyback your information onto communiques that a high-level executive is already sending out. At a previous employer, CSO Jason Clark contributed a monthly column to a newsletter sent out by the number-three executive. At another company, he paired up with the CIO’s ongoing communications.
www.csoonline.com/article/693188

Be the investor!

Peter Kuper says CSOs will have to be creative because there’s not enough innovation on the products and services side.

“Stop looking for vendors and start looking for partners. Why wait to hear about the coolest thing when you can help create it and have a stake in its success? While the cloud may bring even more security problems, it also provides startups with an incredibly cheap and scalable resource for developing and supporting the innovations that are helping offset some of the reduced capital investment currently available,” he says.
www.csoonline.com/article/697959

Know the ‘multiple’ in your cloud contracts.

And benchmark it against three other cloud users. Cloud contracts typically specify a “limit of liability”—an absolute maximum the cloud provider is on the hook for if there’s a problem. The limit of liability is often some multiple of the annual revenue in the contract. Kris Herrin, CTO of Heartland Payment Systems, says the risk equation is way out of whack for cloud deployments, meaning most contracts have a low multiple and therefore shift too much of the risk to the cloud consumer.
www.csoonline.com/article/690541


Use Adversary Sequence Diagrams.

“Adversary Sequence Diagrams relate to a specific type of threat actor—those who use intrusion to gain access to their target asset. The most valuable assets of organizations are not located at their front gate at street side. In order for an intruder to get to the target, the intruder must make his or her way from outside the property through various gates, doors, corridors, and then finally to the target. This is true whether the attacker is a terrorist, criminally violent threat actor, or economic or intellectual property criminal,” writes Thomas Norman in his book Risk Analysis and Security Countermeasure Selection.

Diagramming the physical path an attacker must take to various targets will help you think through the right security measures.
www.csoonline.com/article/540063

Preview your plans.

Don’t wait for your ten minutes with the executive committee before telling them about your plans and goals. Try to meet one-on-one beforehand with as many of them as you can. That’s your chance to tailor your communication to each person’s needs or worries. Then you’ll have pre-built support when you walk into the room for the big meeting.

www.csoonline.com/article/693188

Stop multiplying ordinals!

This is a common mistake in risk-management work. If you rank threats’ likelihood on a scale of one to ten, then similarly rank their impact, and then multiply those two rankings—statistically speaking, you’ve practically generated a random number. An ordinal rank carries only order (a 4 is worse than a 3), not magnitude, so the product of two ranks has no defined meaning.
www.csoonline.com/article/717341
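As an added illustration of that point (example code, not from the article), the following Python script scores two constructed risks on the 1-to-10 ordinal scales described above and shows that an order-preserving relabeling of the same scale, which carries exactly the same ordinal information, reverses the ranking the product produces; it also counts how few distinct products a 10-by-10 table can even yield.

```python
"""Why multiplying ordinal rankings is not meaningful (constructed example)."""

# Two constructed risks scored on 1-to-10 ordinal scales for likelihood and impact.
RISKS = {
    "A: rare but catastrophic": {"likelihood": 1, "impact": 10},
    "B: occasional, moderate": {"likelihood": 3, "impact": 3},
}

# The original labels 1..10 and an alternative, strictly increasing relabeling.
# Both preserve rank order, which is all an ordinal scale promises, so any
# conclusion that changes with the labeling is an artifact of the labels.
ORIGINAL_LABELS = {i: i for i in range(1, 11)}
RELABELED = dict(zip(range(1, 11), [2, 4, 6, 8, 10, 12, 13, 14, 15, 17]))


def product_scores(risks, labels):
    """Return {risk_name: likelihood_label * impact_label} under one labeling."""
    return {
        name: labels[r["likelihood"]] * labels[r["impact"]]
        for name, r in risks.items()
    }


def ranking(risks, labels):
    """Risk names ordered from highest to lowest product score."""
    scores = product_scores(risks, labels)
    return sorted(scores, key=scores.get, reverse=True)


def ranking_is_stable(risks, *labelings):
    """True only if every labeling yields the same ordering of risks."""
    orders = {tuple(ranking(risks, labels)) for labels in labelings}
    return len(orders) == 1


def distinct_products(n=10):
    """Count the distinct values an n-by-n product of ranks can take.

    For ranks 1..10 only 42 of the 100 cells are distinct, and a value such
    as 12 arises from (2,6), (3,4), (4,3) and (6,2) alike, so the product
    also discards most of the ordering information it was meant to combine.
    """
    return len({i * j for i in range(1, n + 1) for j in range(1, n + 1)})


if __name__ == "__main__":
    for name, labels in (("original 1..10", ORIGINAL_LABELS), ("relabeled", RELABELED)):
        print(name, product_scores(RISKS, labels), "->", ranking(RISKS, labels))
    print("ranking stable across labelings:",
          ranking_is_stable(RISKS, ORIGINAL_LABELS, RELABELED))
    print("distinct products on a 10x10 grid:", distinct_products())
```

Under the original labels risk A outranks B (10 versus 9); under the relabeled scale B outranks A (36 versus 34), so the product, not the risks, decided the order.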




Test your business continuity plans with these three tabletop scenarios:

■ There’s a chemical explosion near the data center.

■ Your primary supplier cannot deliver a critical component.

■ An IT admin installs back doors before he’s laid off.

www.csoonline.com/article/719385

Find out your TCOR.

Any large company has “risk managers”—people who purchase insurance policies. Find yours and ask them to help you explore your company’s Total Cost of Risk (TCOR), a concept long in use by RIMS, the risk and insurance managers society.

This should lead to productive conversation about risk mitigation.


Know your department’s capacity to execute.

“Make sure you’ve signed up for something you can pull off,” advises former CISO Charlie Brown.

“Many companies have these gadgets—intrusion protection and detection, wireless security—that may not reap all the benefits they initially thought they would. You put in an intrusion-prevention device and put the rules on it, and people complain because they can’t do this or that, so you turn off a lot of the features. You’re still paying maintenance fees, but are you using it to do what you bought it to do?

“So don’t rely on security vendors to provide ROI for you. Base it on what you believe you can do based on your company’s culture, your team’s capabilities, your team’s throughput. A lot of times, you can’t get the product’s full potential because you just have too many things going on,” Brown explains.
www.csoonline.com/article/707589


Don’t Forget IP


Think in terms of protecting intellectual property (IP), not just data.

It’s not enough to just comply with laws for protecting personally identifiable information (PII). Your intellectual property is in different places and takes different forms than PII data does.
www.csoonline.com/article/699295

THOUGHT EXERCISE: List three reasons that PII protection wouldn’t cover all your IP, and three places IP might live that PII doesn’t.

That will put you one step ahead of some CSOs we’ve interviewed, who say their organization’s intellectual property is completely covered by the defensive scheme developed to protect PII and transactional data.


Guard your cloud API keys.

“Many cloud services are accessed using simple REST Web services interfaces,” explains Mark O’Neill, CTO of Vordel, an API-management company.

“These are commonly called APIs, since they are similar in concept to the more heavyweight C++ or Java APIs used by programmers, though they are much easier to leverage from a Web page or from a mobile phone, hence their increasing ubiquity. API keys are used to access these services. These are similar in some ways to passwords.”

And we all know what happens when passwords are compromised.
www.csoonline.com/article/660065


“Security professionals tend to gravitate toward a cartoonish vision of end users—that they’re not competent or they don’t understand technology,” says former CISO Scott Blake. “But that’s not true—they do understand the need for security, but they chafe against it when they don’t see the value or can’t do something they want. It’s more of an education issue than anything else. Users have a desire to do the right thing. They don’t want to put the company at risk, but they need to get their job done, and that’s their first priority. So security professionals need to make sure things are as easy as they could possibly be.”
www.csoonline.com/article/707589

Formalize who owns which risks.

If you want to get someone’s attention, lay an issue right at their front door. When people feel accountable, they will take an interest in—and hopefully become advocates for—your proposal. For instance, Roland Cloutier, CSO at ADP, makes a habit of identifying which business leaders own which risks and then publicizes these assignments.

“That’s powerful—people don’t want to be seen as responsible for risk, so they become supporters in helping to mitigate it,” Cloutier says. “It’s not about fear and uncertainty, it’s about feeling accountable for a problem in their area and deciding they’re going to help resolve it.” The technique encourages partnership, which drives the needed resources.
www.csoonline.com/article/693188

Figure out secure BYOD—even if your organization isn’t doing it yet.

CSOs say you should always be on the lookout for opportunities to enable and empower employees instead of telling them “no.”

Plus, the bring-your-own-device trend looks close to inevitable.
www.csoonline.com/article/717560

Review your guard services contract.

Check for a defense and indemnification clause, training and performance standards, a certificate of liability insurance, and other details.

www.csoonline.com/article/221261


Empty the Trash


Train employees on data destruction...

Whether it’s degaussing or using a software-based technique, don’t just say “dispose of data at age X” and expect your workforce will know how to do that.
www.csoonline.com/article/699298


...Check your work...

Assign a separate technician to take a random sample of at least 10 percent of deleted data and attempt to recover information using a commercial recovery tool.


...And double-check your cloud providers’ work.

Make sure all cloud-service agreements include specific data-destruction methods (not just time frames).


If a rogue employee wanted to disrupt your business, what would be the easiest way for him to do that?

And what would be the simplest control to put in place to deter this activity?

Annex your company’s anti-counterfeiting efforts.

“In today’s business environment, business unit owners need to continually drive incremental value to their organizations. This is particularly true of operational business units that do not directly or tangibly generate material growth in revenue—areas such as security. In anti-counterfeiting, I realized there was an opportunity to add value to the organization,” says an anonymous CSO.

“After my team’s success with this anti-counterfeiting operation, I was able to convince our senior management to move anti-counterfeiting operations out of the legal department and into the security realm. It wasn’t an easy sell, but it wasn’t that hard of a sell, either. In fact, once I started looking at the issue, it became obvious why my team could be successful fighting counterfeiting, and why the organizational move is a logical step for any brand-conscious organization.”

www.csoonline.com/article/332113

Identify one of your ideas that’s ahead of its time—and table it.

“One mistake I’ve made and seen others make is sticking to a failed agenda. Sometimes ideas are ahead of their time, and people just aren’t ready to accept them. Other times an organizational culture just won’t accommodate certain changes. These are times when the politically savvy will shelve ideas and shift agendas rather than burn up political capital on no-win situations. Later, when the time is right, you can move on your original agenda,” an anonymous CISO explains.
www.csoonline.com/article/221341

Secure your board of directors’ communication portal.

Maybe you already have. That’s good. Or maybe the portal was set up by the investor relations team, using SharePoint. That’s bad.

www.csoonline.com/article/702878

Make a new recruiter connection.

The best time to do it is when you aren’t actively looking.

www.csoonline.com/article/497227

Stop reading your presentation slides!

Your audience can read. If the slide is unreadable at the back of the room, it’s useless. So make slides simple and clear, and then use the presentation time to augment, emphasize, storytell.

www.csoonline.com/article/677948


Get Insight


Build a vulnerability-countermeasure spreadsheet.

This document will help you identify gaps in your protective posture, as well as opportunities where a single control can help defend against multiple vulnerabilities.

www.csoonline.com/article/540063


Test your workforce.

Send a phishing email. See how many employees click. Or hire a social-engineering penetration tester to try to walk through your data center by pretending to be the fire marshal.

www.csoonline.com/article/692551


Dig into a new framework.

Maybe you’re already using ISO27001. Or ITIL. Or something from NIST. Or a risk-specific framework like FAIR.

So pick a different one and start reading up on it. How is it different from the one you’re using now? Are there ideas in there you can adapt and use in your current environment?


Focus on visibility in cloud services...

“It is crucial that the authentication system fits into the company’s visibility plan. There’s no reason not to know very quickly of a series of failed authentication attempts,” even (or especially) in cloud-based services, notes John Kinsella of Protected Industries.
www.csoonline.com/article/717307
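To make “know very quickly of a series of failed authentication attempts” concrete, here is an added Python example (not from the article or from Protected Industries) that scans a constructed, simplified audit log for accounts whose failures cluster inside a sliding time window, and records whether a later login for that account succeeded after the burst; the one-event-per-line log format is assumed for illustration and is not any particular service’s format.

```python
"""Detect bursts of failed authentication attempts in an audit log.

Added example. The "timestamp user result source" line format is an
assumption made for this illustration, not a real cloud service's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log; the accounts and addresses are made up for this example.
SAMPLE_LOG = """\
2012-12-03T09:00:01Z alice FAIL 198.51.100.7
2012-12-03T09:00:05Z bob OK 203.0.113.4
2012-12-03T09:00:09Z alice FAIL 198.51.100.7
2012-12-03T09:00:14Z alice FAIL 198.51.100.7
2012-12-03T09:00:20Z alice FAIL 198.51.100.7
2012-12-03T09:00:31Z alice FAIL 198.51.100.7
2012-12-03T09:00:40Z bob FAIL 203.0.113.4
2012-12-03T09:05:00Z bob FAIL 203.0.113.4
2012-12-03T09:10:00Z bob FAIL 203.0.113.4
2012-12-03T09:10:01Z alice OK 198.51.100.7
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result, source)."""
    ts_str, user, result, source = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, user, result, source


def find_failed_auth_bursts(log_text, threshold=5, window_seconds=60):
    """Return {user: alert} for each account reaching `threshold` failed
    attempts inside any sliding window of `window_seconds`.

    Any result other than "OK" counts as a failure. Each alert records the
    burst's size and time span and whether a successful login for the same
    account appeared after the burst, which is the stronger signal: it may
    mean the credential was guessed rather than merely attacked.
    """
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _source = parse_line(line)
        if result == "OK":
            if user in alerts:
                alerts[user]["success_after_burst"] = True
            continue
        window = recent[user]
        window.append(ts)
        # Expire failures that have fallen out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and user not in alerts:
            alerts[user] = {
                "count": len(window),
                "first": window[0],
                "last": ts,
                "success_after_burst": False,
            }
    return alerts


if __name__ == "__main__":
    for user, alert in find_failed_auth_bursts(SAMPLE_LOG).items():
        print(f"{user}: {alert['count']} failures between {alert['first'].time()} "
              f"and {alert['last'].time()}; later success: {alert['success_after_burst']}")
```

With the defaults only alice trips the rule (five failures in 30 seconds, followed by a successful login); bob’s three failures spread over ten minutes only surface if the threshold and window are loosened, which is the tuning decision a visibility plan has to make explicitly.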


...And in your supply chain.

One pharmaceuticals company started looking into supply-chain issues in regards to customer service problems. The company found that a number of its supply-chain partners were consistently providing inflated lead times, a common practice that suppliers use to avoid missing deadlines or being unable to meet a spike in demand. However, the result for the pharmaceutical company was an extra $100 million of inventory stuffed in the chain. (This is called the “bullwhip effect,” in industry-speak.)

Better visibility will help identify process changes that improve security—and very likely improve overall performance. Which is the holy grail for security initiatives.


THOUGHT EXERCISE: What if every employee could click on every link they see?

What kind of security infrastructure would that require? (This tip was suggested by Dave Aitel of Immunity.)


Review the ‘trespass warning’ laws in your state.

You may be legally required to formally notify someone that they’re no longer allowed on the premises when you’re trying to prevent them from committing theft or acts of violence.

www.csoonline.com/article/220716


This week, make a new risk friend.

Find an individual in some branch of operational risk management outside of your own. Privacy, records management, environmental safety, loss prevention, fraud detection, whatever. Call him or her. Make a list of questions. Have lunch. Talk shop.
www.csoonline.com/article/699791

Get emotional.

“Security and IT people tend to be very analytic, and we tend to want to persuade with facts and data. But getting a client to understand what they need to do to secure their financial future is a very emotional thing for them, and the same is true in the information security world,” says former CISO Scott Blake. “You need to make an analytical connection, but you also need that emotional connection. If I’d known that when I was a CISO, I would have done a lot more networking and paid a lot more attention to the emotional piece of the case I was trying to make.”
www.csoonline.com/article/707589

Tell a story.

Charles Ponzi was originally named Carlo. He came to the United States in 1918 and created a business telling investors their money would be doubled in 90 days. Of course he was taking money from later investors to pay off the first ones. This hundred-year-old scheme is the same idea that put Bernie Madoff in prison for a 150-year sentence. Easy money is always a scam.

Now don’t you find that more compelling than a stern “Don’t get phished!” warning poster?

Your workforce will, too.

Push a vendor for more openness.

Take the governance, risk and compliance (GRC) field, for example. “The platforms that are being built by most vendors are proprietary,” says CISO Charlie Brown. “On the good side, this means that they come with a prebuilt controls library and a generic risk process. But on the bad side, this means it’s generally difficult to extend or customize in any meaningful way.”

Brown says tools should be built on top of open-source platforms where possible. For GRC, that would mean open-source content management. “This enables a much wider array of options when it comes to modules and potential integration,” he says.

www.csoonline.com/article/714470

Measure your awareness program’s effectiveness.

Why not? SANS offers a suite of free tools at www.securingthehuman.org.

www.csoonline.com/article/718903

Learn the four types of intellectual property.

The four legally defined categories are patents, trademarks, copyright and trade secrets. Making a legal claim hold up in court requires a certain level of diligence in protecting the intellectual property in question. That’s where you come in.
www.csoonline.com/article/204600


Make a Map


Map your data...

Map the data, according to Gary Lynch, global head of strategic consulting for Marsh, a security advisory company.

“How does it get created, where does it get created, what happens to it? You have to look at all the stages of data formation and use all the way through to disposal, access, storage and transmission,” says Lynch.

Your intellectual property data map then becomes your footprint for applying controls. (And, obviously, the data map itself will be a very sensitive document that requires excellent protection.)
www.csoonline.com/article/699295

...but get a lot of buy-in first.

Data mapping is difficult, says Bruce Phillips, vice president and information security manager at Fidelity National Financial.

“It’s expensive to do, especially if you don’t get it right the first time. Once you create it, it’s a living, breathing thing. You have to keep it up and maintain it. You must have a commitment to add resources and staff and time to just manage the data map itself, no matter what you are doing it for. If you do a data map to map everything for [just one department], that is a hard sell because it is expensive. If you don’t have multiple constituents, don’t try it. That’s my advice to anyone. Unless you have a lot of uses for it, it’s just too hard to do.”
www.csoonline.com/article/499439


Try improv.

Yup. Improvisational comedy is perhaps the most intimidating form of performance. If you can do that, you can present to the board without breaking a sweat.

And if you don’t want to get on stage, Michael Santarcangelo advises that you at least consider learning the “Yes, and...” technique that underpins collaboration in improv theater.

www.csoonline.com/article/687570

Make  a  succession  plan. 

This  isn’t  just  about  having 
a  piece  of  paper  that  says  who’s  up 
next.  A  succession  plan  will  help  you 
identify  skill  and  training  gaps  in 
your  staff. 

www.csoonline.com/article/675528 


Make a list of threats to your brand...

...that don’t require any intrusion by the perpetrator.

Online brand attacks can include cybersquatting, the practice of registering, trafficking in or using a domain name with intent to profit from the goodwill of a trademark belonging to someone else. In a 2009 study, CMOs said brand value, trust, integrity and reputation are significantly eroded and damaged as a result of grey-market knockoffs, phishing attacks, cybersquatting, email scams, trademark abuse, copyright and patent infringements, and other malevolent forms of online brand corruption.
www.csoonline.com/article/494853


Try  the  social 
engineering  toolkit. 


It’s  available  for  free  online. 

www.csoonline.com/article/705106 


Review  your  security 
policies  with  input 
from  younger  workers. 

This doesn’t necessarily mean you’ll make your policies more lax (after all, SOX and HIPAA haven’t been rewritten to accommodate Millennials). But an open conversation may help you find a phrasing that gains better acceptance. Or give you ideas for how policies need to evolve.

blogs.csoonline.com/node/2416 

Read  a  book  that 
you  disagree  with. 

“It is the mark of an educated mind to be able to entertain a thought without accepting it.” -Aristotle

Write  a  dozen 
thank-you  notes. 

Not emails. Handwritten notes on paper. Take time to show your appreciation to your colleagues for a job well done.

Take  a  vacation! 

Refresh  and  recharge. 

’Nuff  said! 

■  Send  feedback  to  Editor  in  Chief  Derek 
Slater  at  dslater@cso.com. 




IT’S WHEN. NOT IF.

SIEM 2.0



The 4th Annual CSO Holiday Gift Guide

The Vaporwarealyzer

When vendors blow smoke, this sophisticated detection device tells you they’re fibbing.



CEO Hypnoticator

“These aren’t the budget cuts you’re looking for...”

The Smartphone Nuke-From-Orbitinator

Mobile employees jeopardizing security? Time for a little ‘bring-your-own-brick’ policy enforcement!

Cloud Proctoscope

So your data is in some cloud. Somewhere. What exactly is going on in there?




Security Smart is a quarterly security awareness newsletter ready for distribution to your employees—saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees—your organization's most valuable assets—will read and retain the information.




Subscribe  today! 


To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 




For  more  information  please  visit 

www.SecuritySmart.com 


Security Smart is published by CSO, a business unit of CXO Media. © 2012 CXO Media Inc.


BUSINESS  RISK  LEADERSHIP 


CONFIDENCE:  SECURED 


www.tripwire.com/confidence 




CUSTOMERS ARE TOO BUSY TO LISTEN TO THEIR

WHEN SOMETHING’S WRONG — IT NEEDS TO SCREAM

DWAYNE MELANÇON
CHIEF TECHNOLOGY OFFICER




In  today’s  business  climate,  confidence  is  directly 
proportional  to  how  well  an  organization  connects  their 
information  security  practices  to  the  highest  levels  of 
their  business.  With  the  right  strategy,  a  company  can 
move  forward  on  their  goals  with  certainty.  Without  one, 
even  the  smallest  breach  can  paralyze  progress.  Tripwire 
takes  the  guesswork  out  of  security  by  making  it  visible, 
measurable  and  actionable.  This  dynamic,  system-wide 
approach  allows  business  to  stay  focused  on  the  game- 
plan  that’s  right  for  their  customers.  It  gives  management 
the  information  it  needs  to  intelligently  visualize 
weaknesses  and  effectively  hold  people  accountable.  And 
most  critically,  it  also  gives  leadership  the  ability  to  clearly 
identify  threats  and  communicate  their  impact  on  the 
business.  To  learn  how  Tripwire  can  deliver  this  confidence 
to  your  company,  visit:  www.tripwire.com/confidence 


